Advanced cross-reference generation for IDA Pro, designed to extend Mandiant XRefer
XrefGen is a professional-grade cross-reference generator that detects indirect references and complex control-flow patterns that IDA Pro may miss. It is designed to feed Mandiant XRefer with additional user xrefs in the exact format the plugin expects.
It is especially useful for:
- Modern compiled languages (Rust, Go, C++)
- Obfuscated malware (CFF, opaque predicates, string tricks)
- Packed or heavily optimized binaries
- Multi-architecture targets
| Feature | Description |
|---|---|
| XRefer-Compatible Output | Writes `0xSRC,0xDST` lines matching the XRefer parser |
| Modular Analyzer System | Enable/disable analyzers individually |
| Incremental & Cached Analysis | Only re-analyze modified functions |
| Confidence Scoring | Each xref has a confidence score |
| Evidence Tracking | Evidence is exported in detailed/JSON/CSV formats |
| Multi-Architecture | x86, x64, ARM, ARM64, MIPS, WASM |
- x86 / x64
- ARM / ARM64
- MIPS
- WebAssembly (WASM)
- Data Flow Analyzer
  - Taint tracking from sources to sinks
  - Pointer chains and indirect call propagation
  - Reaching-defs and CFG-based heuristics
- Graph Analyzer
  - Call-graph edges
  - Hubs, cycles, wrapper detection
  - Vtable and callback patterns
- Obfuscation Analyzer
  - Control-flow flattening (CFF)
  - Opaque predicates
  - String encryption patterns
  - Anti-analysis heuristics
- Architecture Analyzer
  - Cross-architecture register resolution
  - ABI-aware calling convention logic
- Hex-Rays / Decompiler Evidence
  - Extracts high-confidence refs from decompiled views (when available)
XRefer expects user xrefs at:

`<IDB_PATH>_user_xrefs.txt`

XrefGen now writes outputs with the IDB prefix by default, matching XRefer’s expectations.

- `<IDB_PATH>_user_xrefs.txt`, format (strict): `0xSRC,0xDST`
- `<IDB_PATH>_user_xrefs_details.txt`
- `<IDB_PATH>_user_xrefs.json`
- `<IDB_PATH>_user_xrefs.csv`
- `<IDB_PATH>_user_xrefs_taint.txt`
- Copy the `xrefgen` folder into your IDA scripts directory.
- Open your binary in IDA Pro 9.2+.
- Run:
  - Script mode: `File > Script file...` or `Alt+F7` on `xrefgen.py`
  - Plugin mode: copy `xrefgen_plugin.py` into IDA `plugins/` and run XrefGen from `Edit > Plugins`.
- Script mode:

```python
# Run full analysis
exec(open("path/to/xrefgen.py").read())
```

Configuration lives in `xrefgen_config.json`.
Important output keys:

```json
"general": {
  "output_name_mode": "idb",
  "txt_format": "xrefer",
  "txt_include_evidence": false
}
```

- `output_name_mode: "idb"` → uses `<IDB_PATH>_user_xrefs.txt`
- `txt_format: "xrefer"` → strict `0xSRC,0xDST`
- Set `txt_format: "extended"` if you want extra columns
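One way to check a user-xrefs file against the strict `0xSRC,0xDST` form before handing it to XRefer, for example after a run with `txt_format: "extended"`. This is an added example, not code from XrefGen or XRefer. The function names, the sample lines, the extra columns shown, and the handling of blank lines, duplicates and hex case are all assumptions.

```python
import re

# Strict form from the README: 0xSRC,0xDST (accepting either hex case is an assumption).
STRICT = re.compile(r"0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+")

def check_user_xrefs(text):
    """Split the text of a user-xrefs file into strict pairs and rejected lines.

    Returns (pairs, problems): pairs is a de-duplicated, order-preserving list
    of (src, dst) ints; problems is a list of (line_number, reason, raw_line).
    """
    pairs, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are harmless
        if not STRICT.fullmatch(line):
            fields = line.split(",")
            if len(fields) > 2 and STRICT.fullmatch(",".join(fields[:2])):
                reason = "extra columns (extended format?)"
            else:
                reason = "not 0xSRC,0xDST"
            problems.append((lineno, reason, raw))
            continue
        src, dst = (int(f, 16) for f in line.split(","))
        if (src, dst) in seen:
            problems.append((lineno, "duplicate pair", raw))
            continue
        seen.add((src, dst))
        pairs.append((src, dst))
    return pairs, problems

def to_strict(pairs):
    """Render (src, dst) pairs back into strict 0xSRC,0xDST lines."""
    return "\n".join(f"0x{s:x},0x{d:x}" for s, d in pairs) + "\n"

# Constructed sample, not real XrefGen output; the extra columns are made up.
SAMPLE = """0x401000,0x402abc
0x401010,0x402ABC,0.85,vtable
401020,0x403000
0x401000,0x402abc

0x140001000,0x140002f00
"""

if __name__ == "__main__":
    pairs, problems = check_user_xrefs(SAMPLE)
    print(to_strict(pairs), end="")
    for lineno, reason, raw in problems:
        print(f"line {lineno}: {reason}: {raw!r}")
```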
Huge thanks to Mandiant for building XRefer and open-sourcing it. This project is specifically designed to augment XRefer workflows and would not exist without their excellent work.
Made to extend IDA Pro analysis and supercharge XRefer workflows